Abstract

A theory is complete if it does not contain a contradiction, while all 
of its proper extensions do. In this paper, first we introduce a relative 
notion of syntactic completeness; then we prove that adding exceptions to 
a programming language can be done in such a way that the completeness 
of the language is not made worse. These proofs are formalized in a logical 
system which is close to the usual syntax for exceptions, and they have 
been checked with the proof assistant Coq. 


1 Introduction 

In computer science, an exception is an abnormal event occurring during the
execution of a program. A mechanism for handling exceptions consists of two
parts: an exception is raised when an abnormal event occurs, and it can be
handled later, by switching the execution to a specific subprogram. Such a
mechanism is very helpful, but it is difficult for programmers to reason about
it. A difficulty for reasoning about programs involving exceptions is that they
are computational effects, in the sense that their syntax does not look like their
interpretation: typically, a piece of program with arguments in $X$ that returns a
value in $Y$ is interpreted as a function from $X + E$ to $Y + E$ where $E$ is the set of
exceptions. On the one hand, reasoning with $f : X \to Y$ is close to the syntax,
but it is error-prone because it is not sound with respect to the semantics. On
the other hand, reasoning with $f : X + E \to Y + E$ is sound but it loses most of
the interest of the exception mechanism, where the propagation of exceptions
is implicit: syntactically, $f : X \to Y$ may be followed by any $g : Y \to Z$,
since the mechanism of exceptions will take care of propagating the exceptions
raised by $f$, if any. Another difficulty for reasoning about programs involving
exceptions is that the handling mechanism is encapsulated in a try-catch block,
while the behaviour of this mechanism is easier to explain in two parts (see for
instance [10, Ch. 14] for Java or [3, §15] for C++): the catch part may recover
from exceptions, so that its interpretation may be any $f : X + E \to Y + E$,
but the try-catch block must propagate exceptions, so that its interpretation
is determined by some $f : X \to Y + E$.

In [8] we defined a logical system for reasoning about states and exceptions
and we used it for getting certified proofs of properties of programs in computer
algebra, with an application to exact linear algebra. This logical system is called
the decorated logic for states and exceptions. Here we focus on exceptions. The
decorated logic for exceptions deals with $f : X \to Y$, without any mention of $E$;
however it is sound thanks to a classification of the terms and the equations.
Terms are classified, as in a programming language, according to the way they
may interact with exceptions: a term either has no interaction with exceptions
(it is “pure”), or it may raise exceptions and must propagate them, or it is
allowed to catch exceptions (which may occur only inside the catch part of a
try-catch block). The classification of equations follows a line that was
introduced in [4]: besides the usual “strong” equations, interpreted as equalities of
functions, in the decorated logic for exceptions there are also “weak” equations,
interpreted as equalities of functions on non-exceptional arguments. This logic
has been built so as to be sound, but little was known about its completeness.
In this paper we prove a novel completeness result: the decorated logic for
exceptions is relatively Hilbert-Post complete, which means that adding exceptions
to a programming language can be done in such a way that the completeness of
the language is not made worse. For this purpose, we first define and study the
novel notion of relative Hilbert-Post completeness, which seems to be a relevant
notion for the completeness of various computational effects: indeed, we prove
that this notion is preserved when combining effects. Practically, this means
that we have defined a decorated framework where reasoning about programs
with and without exceptions is equivalent, in the following sense: if there
exists an unprovable equation not contradicting the given decorated rules, then
this equation is equivalent to a set of unprovable equations of the pure sublogic
not contradicting its rules.

Informally, in classical logic, a consistent theory is one that does not contain
a contradiction, and a theory is complete if it is consistent and none of its proper
extensions is consistent. Now, the usual (“absolute”) Hilbert-Post completeness,
also called Post completeness, is a syntactic notion of completeness which does
not use any notion of negation, so that it is well-suited for equational logic. In
a given logic $L$, we call a theory a set of sentences which is deductively closed:
everything you can derive from it (using the rules of $L$) is already in it. Then,
more formally, a theory is (Hilbert-Post) consistent if it does not contain all
sentences, and it is (Hilbert-Post) complete if it is consistent and if any sentence
which is added to it generates an inconsistent theory [20, Def. 4].

All our completeness proofs have been verified with the Coq proof assistant.
First, this shows that it is possible to formally prove that programs involving
exceptions comply with their specifications. Second, this is of help for improving
the confidence in the results. Indeed, for a human prover, proofs in a decorated
logic require some care: they look very much like familiar equational proofs,
but the application of a rule may be subject to restrictions on the decoration
of the premises of the rule. The use of a proof assistant in order to check that
these unusual restrictions were never violated has thus proven to be quite useful.
Then, many of the proofs we give in this paper require a structural induction.
There, the correspondence between our proofs and their Coq counterpart was
eased, as structural induction is also at the core of the design of Coq.

A major difficulty for reasoning about programs involving exceptions, and
more generally computational effects, is that their syntax does not look like their
interpretation: typically, a piece of program from $X$ to $Y$ is not interpreted as
a function from $X$ to $Y$, because of the effects. The best-known algebraic
approach for dealing with this problem has been initiated by Moggi: an effect
is associated to a monad $T$, in such a way that the interpretation of a program
from $X$ to $Y$ is a function from $X$ to $T(Y)$ [13]: typically, for exceptions,
$T(Y) = Y + E$. Other algebraic approaches include effect systems [12], Lawvere
theories [17], algebraic handlers [18], comonads [21, 15], dynamic logic [14],
among others. Some completeness results have been obtained, for instance for
(global) states [16] and for local states [19]. The aim of these approaches is
to extend functional languages with tools for programming and proving side-
effecting programs; implementations include Haskell [2], Idris [11], Eff [1], while
Ynot [22] is a Coq library for writing and verifying imperative programs.

Differently, our aim is to build a logical system for proving properties of
some families of programs written in widely used non-functional languages like
Java or C++¹. The salient features of our approach are that:

(1) The syntax of our logic is kept close to the syntax of programming languages.
This is made possible by starting from a simple syntax without effect and by
adding decorations, which often correspond to keywords of the languages, for
taking the effects into account.

(2) We consider exceptions in two settings, the programming language and the
core language. This makes it possible, for instance, to separate the treatment, in
proofs, of the matching between normal or exceptional behavior from the actual
recovery after an exceptional behavior.

In Section 2 we introduce a relative notion of Hilbert-Post completeness in
a logic $L$ with respect to a sublogic $L_0$. Then in Section 3 we prove the relative
Hilbert-Post completeness of a theory of exceptions based on the usual throw
and try-catch statement constructors. We go further in Section 4 by
establishing the relative Hilbert-Post completeness of a core theory for exceptions
with individualized TRY and CATCH statement constructors, which is useful for
expressing the behaviour of the try-catch blocks. All our completeness proofs
have been verified with the Coq proof assistant and we therefore give the main
ingredients of the framework used for this verification and the correspondence
between our Coq package and the theorems and propositions of this paper in
Section 5.

¹For instance, a denotational semantics of our framework for exceptions, which relies on
the common semantics of exceptions in these languages, was given in [8, § 4].

2 Relative Hilbert-Post completeness 

Each logic in this paper comes with a language, which is a set of formulas,
and with deduction rules. Deduction rules are used for deriving (or generating)
theorems, which are some formulas, from some chosen formulas called axioms. A
theory $T$ is a set of theorems which is deductively closed, in the sense that every
theorem which can be derived from $T$ using the rules of the logic is already in
$T$. We describe a set-theoretic intended model for each logic we introduce; the
rules of the logic are designed so as to be sound with respect to this intended
model. Given a logic $L$, the theories of $L$ are partially ordered by inclusion.
There is a maximal theory $T_{\max}$, where all formulas are theorems. There is a
minimal theory $T_{\min}$, which is generated by the empty set of axioms. For all
theories $T$ and $T'$, we denote by $T + T'$ the theory generated from $T$ and $T'$.

Example 2.1. With this point of view there are many different equational logics,
with the same deduction rules but with different languages, depending on the
definition of terms. In an equational logic, formulas are pairs of parallel terms
$(f, g) : X \to Y$ and theorems are equations $f = g : X \to Y$. Typically, the
language of an equational logic may be defined from a signature (made of sorts
and operations). The deduction rules are such that the equations in a theory
form a congruence, i.e., an equivalence relation compatible with the structure of
the terms. For instance, we may consider the logic “of naturals” $L_{nat}$ with its
language generated from the signature made of a sort $N$, a constant $0 : 1 \to N$
and an operation $s : N \to N$. For this logic, the minimal theory is the theory “of
naturals” $T_{nat}$, the maximal theory is such that $s^k = s^l$ and $s^k \circ 0 = s^l \circ 0$ for all
natural numbers $k$ and $l$, and (for instance) the theory “of naturals modulo 6”
$T_{mod6}$ can be generated from the equation $s^6 = \mathrm{id}_N$. We consider models of
equational logics in sets: each type $X$ is interpreted as a set (still denoted $X$),
which is a singleton when $X$ is $1$, each term $f : X \to Y$ as a function from $X$
to $Y$ (still denoted $f : X \to Y$), and each equation as an equality of functions.

Definition 2.2. Given a logic $L$ and its maximal theory $T_{\max}$, a theory $T$ is
consistent if $T \neq T_{\max}$, and it is Hilbert-Post complete if it is consistent and if
any theory containing $T$ coincides with $T_{\max}$ or with $T$.

Example 2.3. In Example 2.1 we considered two theories for the logic $L_{nat}$: the
theory “of naturals” $T_{nat}$ and the theory “of naturals modulo 6” $T_{mod6}$. Since
both are consistent and $T_{mod6}$ contains $T_{nat}$, the theory $T_{nat}$ is not Hilbert-Post
complete. A Hilbert-Post complete theory for $L_{nat}$ is made of all equations but
$s = \mathrm{id}_N$; it can be generated from the axioms $s \circ 0 = 0$ and $s \circ s = s$.

If a logic $L$ is an extension of a sublogic $L_0$, each theory $T_0$ of $L_0$ generates
a theory $F(T_0)$ of $L$. Conversely, each theory $T$ of $L$ determines a theory
$G(T)$ of $L_0$, made of the theorems of $T$ which are formulas of $L_0$, so that
$G(T_{\max}) = T_{\max,0}$. The functions $F$ and $G$ are monotone and they form a
Galois connection, denoted $F \dashv G$: for each theory $T$ of $L$ and each theory $T_0$ of
$L_0$ we have $F(T_0) \subseteq T$ if and only if $T_0 \subseteq G(T)$. It follows that $T_0 \subseteq G(F(T_0))$
and $F(G(T)) \subseteq T$. Until the end of Section 2, we consider: a logic $L_0$, an
extension $L$ of $L_0$, and the associated Galois connection $F \dashv G$.

Definition 2.4. A theory $T'$ of $L$ is $L_0$-derivable from a theory $T$ of $L$ if
$T' = T + F(T_0)$ for some theory $T_0$ of $L_0$. A theory $T$ of $L$ is (relatively)
Hilbert-Post complete with respect to $L_0$ if it is consistent and if any theory of $L$
containing $T$ is $L_0$-derivable from $T$.

Each theory $T$ is $L_0$-derivable from itself, as $T = T + F(T_{\min,0})$, where
$T_{\min,0}$ is the minimal theory of $L_0$. In addition, Theorem 2.6 shows that
relative completeness lifts the usual “absolute” completeness from $L_0$ to $L$, and
Proposition 2.7 proves that relative completeness is well-suited to the combination
of effects.

Lemma 2.5. For each theory $T$ of $L$, a theory $T'$ of $L$ is $L_0$-derivable from
$T$ if and only if $T' = T + F(G(T'))$. As a special case, $T_{\max}$ is $L_0$-derivable
from $T$ if and only if $T_{\max} = T + F(T_{\max,0})$. A theory $T$ of $L$ is Hilbert-Post
complete with respect to $L_0$ if and only if it is consistent and every theory $T'$
of $L$ containing $T$ is such that $T' = T + F(G(T'))$.

Proof. Clearly, if $T' = T + F(G(T'))$ then $T'$ is $L_0$-derivable from $T$. So,
let $T'_0$ be a theory of $L_0$ such that $T' = T + F(T'_0)$, and let us prove that
$T' = T + F(G(T'))$. For each theory $T'$ we know that $F(G(T')) \subseteq T'$; since
here $T \subseteq T'$ we get $T + F(G(T')) \subseteq T'$. Conversely, for each theory $T'_0$ we know
that $T'_0 \subseteq G(F(T'_0))$ and that $G(F(T'_0)) \subseteq G(T) + G(F(T'_0)) \subseteq G(T + F(T'_0))$,
so that $T'_0 \subseteq G(T + F(T'_0))$; since here $T' = T + F(T'_0)$ we get first $T'_0 \subseteq G(T')$
and then $T' \subseteq T + F(G(T'))$. Then, the result for $T_{\max}$ comes from the fact
that $G(T_{\max}) = T_{\max,0}$. The last point follows immediately. □

Theorem 2.6. Let $T_0$ be a theory of $L_0$ and $T = F(T_0)$. If $T_0$ is Hilbert-Post
complete (in $L_0$) and $T$ is Hilbert-Post complete with respect to $L_0$, then $T$ is
Hilbert-Post complete (in $L$).

Proof. Since $T$ is complete with respect to $L_0$, it is consistent. Since $T = F(T_0)$
we have $T_0 \subseteq G(T)$. Let $T'$ be a theory such that $T \subseteq T'$. Since $T$ is complete
with respect to $L_0$, by Lemma 2.5 we have $T' = T + F(T'_0)$ where $T'_0 = G(T')$.
Since $T \subseteq T'$, $T_0 \subseteq G(T)$ and $T'_0 = G(T')$, we get $T_0 \subseteq T'_0$. Thus, since $T_0$ is
complete, either $T'_0 = T_0$ or $T'_0 = T_{\max,0}$; let us check that then either $T' = T$ or
$T' = T_{\max}$. If $T'_0 = T_0$ then $F(T'_0) = F(T_0) = T$, so that $T' = T + F(T'_0) = T$.
If $T'_0 = T_{\max,0}$ then $F(T'_0) = F(T_{\max,0})$; since $T$ is complete with respect to
$L_0$, the theory $T_{\max}$ is $L_0$-derivable from $T$, which implies (by Lemma 2.5) that
$T_{\max} = T + F(T_{\max,0}) = T'$. □

Proposition 2.7. Let $L_1$ be an intermediate logic between $L_0$ and $L$, let $F_1 \dashv G_1$
and $F_2 \dashv G_2$ be the Galois connections associated to the extensions $L_1$ of $L_0$
and $L$ of $L_1$, respectively. Let $T_1 = F_1(T_0)$. If $T_1$ is Hilbert-Post complete
with respect to $L_0$ and $T$ is Hilbert-Post complete with respect to $L_1$ then $T$ is
Hilbert-Post complete with respect to $L_0$.

Proof. This is an easy consequence of the fact that $F = F_2 \circ F_1$. □

Corollary 2.10 provides a characterization of relative Hilbert-Post completeness
which is used in the next sections and in the Coq implementation.

Definition 2.8. For each set $E$ of formulas let $Th(E)$ be the theory generated
by $E$; and when $E = \{e\}$ let $Th(e) = Th(\{e\})$. Then two sets $E_1, E_2$ of
formulas are $T$-equivalent if $T + Th(E_1) = T + Th(E_2)$; and a formula $e$ of $L$ is
$L_0$-derivable from a theory $T$ of $L$ if $\{e\}$ is $T$-equivalent to $E_0$ for some set $E_0$
of formulas of $L_0$.

Proposition 2.9. Let $T$ be a theory of $L$. Each theory $T'$ of $L$ containing $T$ is
$L_0$-derivable from $T$ if and only if each formula $e$ in $L$ is $L_0$-derivable from $T$.

Proof. Let us assume that each theory $T'$ of $L$ containing $T$ is $L_0$-derivable from
$T$. Let $e$ be a formula in $L$, let $T' = T + Th(e)$, and let $T_0$ be a theory of $L_0$ such
that $T' = T + F(T_0)$. The definition of $Th(-)$ is such that $Th(T_0) = F(T_0)$, so
that we get $T + Th(e) = T + Th(E_0)$ where $E_0 = T_0$. Conversely, let us assume
that each formula $e$ in $L$ is $L_0$-derivable from $T$. Let $T'$ be a theory containing
$T$. Let $T'' = T + F(G(T'))$, so that $T \subseteq T'' \subseteq T'$ (because $F(G(T')) \subseteq T'$ for
any $T'$). Let us consider an arbitrary formula $e$ in $T'$; by assumption there is
a set $E_0$ of formulas of $L_0$ such that $T + Th(e) = T + Th(E_0)$. Since $e$ is in
$T'$ and $T \subseteq T'$ we have $T + Th(e) \subseteq T'$, so that $T + Th(E_0) \subseteq T'$. It follows
that $E_0$ is a set of theorems of $T'$ which are formulas of $L_0$, which means that
$E_0 \subseteq G(T')$, and consequently $Th(E_0) \subseteq F(G(T'))$, so that $T + Th(E_0) \subseteq T''$.
Since $T + Th(e) = T + Th(E_0)$ we get $e \in T''$. We have proved that $T' = T''$,
so that $T'$ is $L_0$-derivable from $T$. □

Corollary 2.10. A theory $T$ of $L$ is Hilbert-Post complete with respect to $L_0$
if and only if it is consistent and for each formula $e$ of $L$ there is a set $E_0$ of
formulas of $L_0$ such that $\{e\}$ is $T$-equivalent to $E_0$.

3 Completeness for exceptions 

Exception handling is provided by most modern programming languages. It
allows one to deal with anomalous or exceptional events which require special
processing. E.g., one can easily and simultaneously compute dynamic evaluation
in exact linear algebra using exceptions [8]. There, we proposed to deal with
exceptions as a decorated effect: a term $f : X \to Y$ is not interpreted as a
function $f : X \to Y$ unless it is pure. A term which may raise an exception is
instead interpreted as a function $f : X \to Y + E$ where “$+$” is the disjoint union
operator and $E$ is the set of exceptions. In this section, we prove the relative
Hilbert-Post completeness of the decorated theory of exceptions in Theorem 3.5.
As in [8], decorated logics for exceptions are obtained from equational logics
by classifying terms. Terms are classified as pure terms or propagators, which is
expressed by adding a decoration or superscript, respectively $(0)$ or $(1)$; decoration
and type information about terms may be omitted when they are clear from
the context or when they do not matter. All terms must propagate exceptions,
and propagators are allowed to raise an exception while pure terms are not.
The fact of catching exceptions is hidden: it is embedded into the try-catch
construction, as explained below. In Section 4 we consider a translation of the
try-catch construction in a more elementary language where some terms are
catchers, which means that they may recover from an exception, i.e., they do
not have to propagate exceptions.

Let us describe informally a decorated theory for exceptions and its intended
model. Each type $X$ is interpreted as a set, still denoted $X$. The intended model
is described with respect to a set $E$ called the set of exceptions, which does not
appear in the syntax. A pure term $u^{(0)} : X \to Y$ is interpreted as a function $u :
X \to Y$ and a propagator $a^{(1)} : X \to Y$ as a function $a : X \to Y + E$; equations
are interpreted as equalities of functions. There is an obvious conversion from
pure terms to propagators, which allows one to consider all terms as propagators
whenever needed; if a propagator $a^{(1)} : X \to Y$ “is” a pure term, in the sense
that it has been obtained by conversion from a pure term, then the function
$a : X \to Y + E$ is such that $a(x) \in Y$ for each $x \in X$. This means that
exceptions are always propagated: the interpretation of $(b \circ a)^{(1)} : X \to Z$
where $a^{(1)} : X \to Y$ and $b^{(1)} : Y \to Z$ is such that $(b \circ a)(x) = b(a(x))$ when
$a(x)$ is not an exception and $(b \circ a)(x) = e$ when $a(x)$ is the exception $e$ (more
precisely, the composition of propagators is the Kleisli composition associated
to the monad $X + E$ [13, § 1]). Then, exceptions may be classified according
to their name, as in [8]. Here, in order to focus on the main features of the
proof of completeness, we assume that there is only one exception name. Each
exception is built by encapsulating a parameter. Let $P$ denote the type of
parameters for exceptions. The fundamental operations for raising exceptions
are the propagators $\mathrm{throw}_Y^{(1)} : P \to Y$ for each type $Y$: this operation throws an
exception with a parameter $p$ of type $P$ and pretends that this exception has type
$Y$. The interpretation of the term $\mathrm{throw}_Y^{(1)} : P \to Y$ is a function $\mathrm{throw}_Y : P \to
Y + E$ such that $\mathrm{throw}_Y(p) \in E$ for each $p \in P$. The fundamental operations for
handling exceptions are the propagators $(\mathrm{try}(a)\mathrm{catch}(b))^{(1)} : X \to Y$ for each
terms $a : X \to Y$ and $b : P \to Y$: this operation first runs $a$ until an exception
with parameter $p$ is raised (if any), then, if such an exception has been raised,
it runs $b(p)$. The interpretation of the term $(\mathrm{try}(a)\mathrm{catch}(b))^{(1)} : X \to Y$ is a
function $\mathrm{try}(a)\mathrm{catch}(b) : X \to Y + E$ such that $(\mathrm{try}(a)\mathrm{catch}(b))(x) = a(x)$
when $a$ is pure and $(\mathrm{try}(a)\mathrm{catch}(b))(x) = b(p)$ when $a(x)$ throws an exception
with parameter $p$.

More precisely, first the definition of the monadic equational logic $L_{eq}$ is
recalled in Fig. 1 (as in [13], this terminology might be misleading: the logic is
called monadic because all its operations have exactly one argument; this is
unrelated to the use of the monad of exceptions).
Terms are closed under composition: $u_k \circ \cdots \circ u_1 : X_0 \to X_k$ for each
$(u_i : X_{i-1} \to X_i)_{1 \le i \le k}$, and $\mathrm{id}_X : X \to X$ when $k = 0$.
Rules:
(equiv): $u = u$; from $u = v$ derive $v = u$; from $u = v$ and $v = w$ derive $u = w$
(subs): from $u_1 = u_2 : Y \to Z$ and $u : X \to Y$ derive $u_1 \circ u = u_2 \circ u$
(repl): from $v_1 = v_2 : X \to Y$ and $w : Y \to Z$ derive $w \circ v_1 = w \circ v_2$
Empty type $0$ with terms $[\,]_Y : 0 \to Y$ and rule:
(initial): from $u : 0 \to Y$ derive $u = [\,]_Y$

Figure 1: Monadic equational logic $L_{eq}$ (with empty type)


A monadic equational logic is made of types, terms and operations, where all
operations are unary, so that terms are simply paths. This constraint on arity
will make it easier to focus on the completeness issue. For the same reason, we
also assume that there is an empty type $0$, which is defined as an initial object:
for each $Y$ there is a unique term $[\,]_Y : 0 \to Y$ and each term $u : Y \to 0$ is
the inverse of $[\,]_Y$. In the intended model, $0$ is interpreted as the empty set.

Then, the monadic equational logic $L_{eq}$ is extended to form the decorated
logic for exceptions $L_{exc}$ by applying the rules in Fig. 2, with the following
intended meaning:

• (initial$_1$): the term $[\,]_Y$ is unique as a propagator, not only as a pure term.

• (propagate): exceptions are always propagated.

• (recover): the parameter used for throwing an exception may be recovered.

• (try): equations are preserved by the exceptions mechanism.

• (try$_0$): pure code inside try never triggers the code inside catch.

• (try$_1$): code inside catch is executed when an exception is thrown inside
try.

The theory of exceptions $T_{exc}$ is the theory of $L_{exc}$ generated from some arbitrary
consistent theory $T_{eq}$ of $L_{eq}$; with the notations of Section 2, $T_{exc} = F(T_{eq})$.
The soundness of the intended model follows: see [8, §5.1] and [6], which are
based on the description of exceptions in Java [10, Ch. 14] or in C++ [3, §15].

Example 3.1. Using the naturals for $P$ and the successor and predecessor functions
(resp. denoted $s$ and $p$) we can prove, e.g., that $\mathrm{try}(s(\mathrm{throw}\ 3))\mathrm{catch}(p)$
is equivalent to $2$. Indeed, first the rule (propagate) shows that $s(\mathrm{throw}\ 3) =
\mathrm{throw}\ 3$, then the rules (try) and (try$_1$) rewrite the given term into $p(3)$.

Now, in order to prove the completeness of the decorated theory for
exceptions, we follow a classical method (see, e.g., [16, Prop 2.37 & 2.40]): we
first determine canonical forms in Proposition 3.2, then we study the equations
between terms in canonical form in Proposition 3.3.


Pure part: the logic $L_{eq}$ with a distinguished type $P$
Decorated terms: $\mathrm{throw}_Y^{(1)} : P \to Y$ for each type $Y$,
$(\mathrm{try}(a)\mathrm{catch}(b))^{(1)} : X \to Y$ for each $a^{(1)} : X \to Y$ and $b^{(1)} : P \to Y$, and
$(a_k \circ \cdots \circ a_1)^{(1)} : X_0 \to X_k$ for each $(a_i^{(1)} : X_{i-1} \to X_i)_{1 \le i \le k}$,
with conversion from $u^{(0)} : X \to Y$ to $u^{(1)} : X \to Y$
Rules:
(equiv), (subs), (repl) for all decorations
(initial$_1$): from $a^{(1)} : 0 \to Y$ derive $a = [\,]_Y$
(propagate): from $a^{(1)} : X \to Y$ derive $a \circ \mathrm{throw}_X = \mathrm{throw}_Y$
(recover): from $u_1^{(0)}, u_2^{(0)} : X \to P$ and $\mathrm{throw}_Y \circ u_1 = \mathrm{throw}_Y \circ u_2$ derive $u_1 = u_2$
(try): from $a_1^{(1)} = a_2^{(1)} : X \to Y$ and $b^{(1)} : P \to Y$ derive $\mathrm{try}(a_1)\mathrm{catch}(b) = \mathrm{try}(a_2)\mathrm{catch}(b)$
(try$_0$): from $u^{(0)} : X \to Y$ and $b^{(1)} : P \to Y$ derive $\mathrm{try}(u)\mathrm{catch}(b) = u$
(try$_1$): from $u^{(0)} : X \to P$ and $b^{(1)} : P \to Y$ derive $\mathrm{try}(\mathrm{throw}_Y \circ u)\mathrm{catch}(b) = b \circ u$

Figure 2: Decorated logic for exceptions $L_{exc}$


Proposition 3.2. For each $a^{(1)} : X \to Y$, either there is a pure term $u^{(0)} : X \to Y$
such that $a = u$ or there is a pure term $u^{(0)} : X \to P$ such that $a = \mathrm{throw}_Y \circ u$.

Proof. The proof proceeds by structural induction. If $a$ is pure the result is
obvious, otherwise $a$ can be written in a unique way as $a = b \circ op \circ v$ where $v$ is
pure, $op$ is either $\mathrm{throw}_Z$ for some $Z$ or $\mathrm{try}(c)\mathrm{catch}(d)$ for some $c$ and $d$, and
$b$ is the remaining part of $a$. If $a = b^{(1)} \circ \mathrm{throw}_Z \circ v^{(0)}$ then by (propagate)
$a = \mathrm{throw}_Y \circ v^{(0)}$. Otherwise, $a = b^{(1)} \circ (\mathrm{try}(c^{(1)})\mathrm{catch}(d^{(1)})) \circ v^{(0)}$, then by
induction we consider two cases.

• If $c = w^{(0)}$ then by (try$_0$) $a = b^{(1)} \circ w^{(0)} \circ v^{(0)}$ and by induction we consider
two subcases: if $b = t^{(0)}$ then $a = (t \circ w \circ v)^{(0)}$ and if $b = \mathrm{throw}_Y \circ t^{(0)}$
then $a = \mathrm{throw}_Y \circ (t \circ w \circ v)^{(0)}$.

• If $c = \mathrm{throw}_Z \circ w^{(0)}$ then by (try$_1$) $a = b^{(1)} \circ d^{(1)} \circ w^{(0)} \circ v^{(0)}$ and by
induction we consider two subcases: if $b \circ d = t^{(0)}$ then $a = (t \circ w \circ v)^{(0)}$
and if $b \circ d = \mathrm{throw}_Y \circ t^{(0)}$ then $a = \mathrm{throw}_Y \circ (t \circ w \circ v)^{(0)}$.

□

Thanks to Proposition 3.2, the study of equations in the logic $L_{exc}$ can be
restricted to pure terms and to propagators of the form $\mathrm{throw}_Y \circ v$ where $v$ is
pure.
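To make the intended model and these canonical forms concrete, here is an added Python example; it is not part of the paper or of its Coq development. It represents a value of $Y + E$ as an ordinary Python value (the $Y$ summand) or an `Exc` object (the $E$ summand), implements throw, Kleisli composition and try-catch as described before Fig. 1, encodes $L_{exc}$ terms as a small syntax tree, and computes the canonical form of Proposition 3.2 by the rewriting used in its proof. The class and function names (`Exc`, `canonical`, `agree`, ...) and the sample terms, including a rendering of Example 3.1, are this example's own constructions; the final check that a term and its canonical form agree on a few constructed inputs is a finite sanity check, not the proof.

```python
"""Added example (not from the paper or its Coq code): a toy model of the
decorated logic for exceptions of Section 3 and of the canonical forms of
Proposition 3.2.  A value of type Y + E is a plain Python value (Y summand)
or an Exc (E summand).  All names below are this example's assumptions."""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Exc:
    """An element of the E summand, carrying its parameter p : P (one exception name)."""
    p: Any


# --- the intended model: throw, Kleisli composition and try-catch ----------
def throw(p):
    """throw_Y : P -> Y + E (the pretended type Y plays no role in the model)."""
    return Exc(p)


def kleisli(b, a):
    """b o a for propagators: Kleisli composition for the monad (-) + E, so an
    exception raised by a is propagated past b (rule (propagate))."""
    def composed(x):
        y = a(x)
        return y if isinstance(y, Exc) else b(y)
    return composed


def try_catch(a, b):
    """try(a)catch(b) : X -> Y + E: run a; if it raised Exc(p), run b(p) instead."""
    def handled(x):
        y = a(x)
        return b(y.p) if isinstance(y, Exc) else y
    return handled


# --- syntax of L_exc terms (constructed AST) -------------------------------
@dataclass(frozen=True)
class Pure:          # a pure term u^(0), with its interpretation and a display name
    f: Callable
    name: str


@dataclass(frozen=True)
class Throw:         # throw_Y^(1)
    pass


@dataclass(frozen=True)
class TryCatch:      # (try(a)catch(b))^(1)
    a: Any
    b: Any


@dataclass(frozen=True)
class Comp:          # (outer o inner)^(1)
    outer: Any
    inner: Any


def interp(t):
    """Interpretation of a term as a function into Y + E."""
    if isinstance(t, Pure):
        return t.f
    if isinstance(t, Throw):
        return throw
    if isinstance(t, TryCatch):
        return try_catch(interp(t.a), interp(t.b))
    return kleisli(interp(t.outer), interp(t.inner))


def canonical(t):
    """Canonical form of Proposition 3.2, by the rewriting of its proof.
    Returns (kind, pures): the term equals pures[k] o ... o pures[0] when kind
    is 'pure', and throw o pures[k] o ... o pures[0] when kind is 'throw'."""
    if isinstance(t, Pure):
        return ('pure', [t])
    if isinstance(t, Throw):
        return ('throw', [])
    if isinstance(t, TryCatch):
        kind, pures = canonical(t.a)
        if kind == 'pure':                  # (try_0): pure code never reaches catch
            return ('pure', pures)
        bkind, bpures = canonical(t.b)      # (try_1): try(throw o u)catch(b) = b o u
        return (bkind, pures + bpures)
    ikind, ipures = canonical(t.inner)
    if ikind == 'throw':                    # (propagate): outer o throw = throw
        return ('throw', ipures)
    okind, opures = canonical(t.outer)
    return (okind, ipures + opures)


def interp_canonical(kind, pures):
    """Interpretation of a canonical form: apply the pure parts in order, then throw."""
    def f(x):
        for p in pures:
            x = p.f(x)
        return throw(x) if kind == 'throw' else x
    return f


def agree(t, inputs):
    """Finite sanity check (not a proof): t and its canonical form agree on inputs."""
    f, g = interp(t), interp_canonical(*canonical(t))
    return all(f(x) == g(x) for x in inputs)


# --- constructed sample terms over P = naturals ----------------------------
succ = Pure(lambda n: n + 1, 's')
pred = Pure(lambda n: n - 1, 'p')
three = Pure(lambda _unit: 3, '3')       # the constant 3 : 1 -> N, applied to ()
# Example 3.1: try(s(throw 3))catch(p), which reduces to p(3) = 2
example_3_1 = TryCatch(Comp(succ, Comp(Throw(), three)), pred)
# try(s o throw)catch(p) : N -> N, an instance of (try_1)
t_try1 = TryCatch(Comp(succ, Throw()), pred)
# s o try(throw)catch(throw o s): the catch part rethrows, so the outer s is skipped
t_rethrow = Comp(succ, TryCatch(Throw(), Comp(Throw(), succ)))

if __name__ == "__main__":
    print(interp(example_3_1)(()))                        # 2
    print([p.name for p in canonical(example_3_1)[1]])    # ['3', 'p']
```

The normaliser follows the three cases of the proof: a throw anywhere inside a composite swallows everything composed after it, a pure term inside try discards the catch part, and a thrown parameter inside try feeds the catch part; running the block prints 2 and `['3', 'p']` for Example 3.1.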

Proposition 3.3. For all $v_1^{(0)}, v_2^{(0)} : X \to P$ let $a_1^{(1)} = \mathrm{throw}_Y \circ v_1 : X \to Y$ and
$a_2^{(1)} = \mathrm{throw}_Y \circ v_2 : X \to Y$. Then $a_1 = a_2$ is $T_{exc}$-equivalent to $v_1 = v_2$.

Proof. Clearly, if $v_1 = v_2$ then $a_1 = a_2$. Conversely, if $a_1 = a_2$, i.e., if $\mathrm{throw}_Y \circ
v_1 = \mathrm{throw}_Y \circ v_2$, then by rule (recover) it follows that $v_1 = v_2$. □

In the intended model, for all $v_1^{(0)} : X \to P$ and $v_2^{(0)} : X \to Y$, it is impossible
to have $\mathrm{throw}_Y(v_1(x)) = v_2(x)$ for some $x \in X$, because $\mathrm{throw}_Y(v_1(x))$ is in
the $E$ summand and $v_2(x)$ in the $Y$ summand of the disjoint union $Y + E$.
This means that the functions $\mathrm{throw}_Y \circ v_1$ and $v_2$ are distinct, as soon as their
domain $X$ is a non-empty set. For this reason, it is sound to make the following
Assumption 3.4.

Assumption 3.4. In the theory $T_{exc}$ the type of parameters $P$ is non-empty, and
for all $v_1^{(0)} : X \to P$ and $v_2^{(0)} : X \to Y$ with $X$ non-empty, let $a_1^{(1)} = \mathrm{throw}_Y \circ v_1 :
X \to Y$. Then $a_1 = v_2$ is $T_{exc}$-equivalent to $T_{\max,0}$.

Theorem 3.5. Under Assumption 3.4, the theory of exceptions $T_{exc}$ is Hilbert-
Post complete with respect to the pure sublogic $L_{eq}$ of $L_{exc}$.

Proof. Using Corollary 2.10, the proof relies upon Propositions 3.2 and 3.3.
The theory $T_{exc}$ is consistent, because (by soundness) it cannot be proved that
$\mathrm{throw}_P^{(1)} = \mathrm{id}_P^{(0)}$. Now, let us consider an equation between terms with domain
$X$ and let us prove that it is $T_{exc}$-equivalent to a set of pure equations. When
$X$ is non-empty, Propositions 3.2 and 3.3, together with Assumption 3.4, prove
that the given equation is $T_{exc}$-equivalent to a set of pure equations. When $X$
is empty, then all terms from $X$ to $Y$ are equivalent to $[\,]_Y$ so that the given
equation is $T_{exc}$-equivalent to the empty set of pure equations. □

4 Completeness of the core language for exceptions

In this section, following [8], we describe a translation of the language for
exceptions from Section 3 in a core language with catchers. Thereafter, in
Theorem 4.7, we state the relative Hilbert-Post completeness of this core language.
Let us call the usual language for exceptions with throw and try-catch, as
described in Section 3, the programmers’ language for exceptions. The
documentation on the behaviour of exceptions in many languages (for instance in
Java [10]) makes use of a core language for exceptions which is studied in [8].
In this language, the empty type plays an important role and the fundamental
operations for dealing with exceptions are $\mathrm{tag}^{(1)} : P \to 0$ for encapsulating a
parameter inside an exception and $\mathrm{untag}^{(2)} : 0 \to P$ for recovering its parameter
from any given exception. The new decoration $(2)$ corresponds to catchers: a
catcher may recover from an exception, it does not have to propagate it.
Moreover, the equations also are decorated: in addition to the equations $=$ as in
Section 3, now called strong equations, there are weak equations denoted $\sim$.

As in Section 3, a set $E$ of exceptions is chosen; the interpretation is
extended as follows: each catcher $f^{(2)} : X \to Y$ is interpreted as a function
$f : X + E \to Y + E$, and there is an obvious conversion from propagators to
catchers; the interpretation of the composition of catchers is straightforward,
and it is compatible with the Kleisli composition for propagators. Weak and
strong equations coincide on propagators, where they are interpreted as equalities,
but they differ on catchers: $f \sim g : X \to Y$ means that the functions
$f, g : X + E \to Y + E$ coincide on $X$, but maybe not on $E$. The interpretation
of $\mathrm{tag}^{(1)} : P \to 0$ is an injective function $\mathrm{tag} : P \to E$ and the interpretation of
$\mathrm{untag}^{(2)} : 0 \to P$ is a function $\mathrm{untag} : E \to P + E$ such that $\mathrm{untag}(\mathrm{tag}(p)) = p$
for each parameter $p$. Thus, the fundamental axiom relating $\mathrm{tag}^{(1)}$ and $\mathrm{untag}^{(2)}$
is the weak equation $\mathrm{untag} \circ \mathrm{tag} \sim \mathrm{id}_P$.


Pure part: the logic $L_{eq}$ with a distinguished type $P$
Decorated terms: $\mathrm{tag}^{(1)} : P \to 0$, $\mathrm{untag}^{(2)} : 0 \to P$, and
$(f_k \circ \cdots \circ f_1)^{(\max(d_1,\ldots,d_k))} : X_0 \to X_k$ for each $(f_i^{(d_i)} : X_{i-1} \to X_i)_{1 \le i \le k}$,
with conversions from $f^{(0)}$ to $f^{(1)}$ and from $f^{(1)}$ to $f^{(2)}$
Rules:
(equiv$_=$), (subs$_=$), (repl$_=$) for all decorations
(equiv$_\sim$), (repl$_\sim$) for all decorations, (subs$_\sim$) only when $h$ is pure
(empty): from $f^{(1)} : 0 \to Y$ derive $f = [\,]_Y$
(eq$_1$): from $f^{(d_1)}, g^{(d_2)} : X \to Y$ and $f \sim g$ derive $f = g$, only when $d_1 \le 1$ and $d_2 \le 1$
(eq$_2$): from $f_1, f_2 : X \to Y$, $f_1 \sim f_2$ and $f_1 \circ [\,]_X = f_2 \circ [\,]_X$ derive $f_1 = f_2$
(eq$_3$): from $f_1, f_2 : 0 \to X$ and $f_1 \circ \mathrm{tag} \sim f_2 \circ \mathrm{tag}$ derive $f_1 = f_2$
(=-to-$\sim$): from $f = g$ derive $f \sim g$
(ax): $\mathrm{untag} \circ \mathrm{tag} \sim \mathrm{id}_P$

Figure 3: Decorated logic for the core language for exceptions $L_{exc\text{-}core}$

More precisely, the decorated logic for the core language for exceptions $L_{exc\text{-}core}$
is defined in Fig. 3 as an extension of the monadic equational logic $L_{eq}$. There
is an obvious conversion from strong to weak equations (=-to-$\sim$), and in
addition strong and weak equations coincide on propagators by rule (eq$_1$). Two
catchers $f_1^{(2)}, f_2^{(2)} : X \to Y$ behave in the same way on exceptions if and only
if $f_1 \circ [\,]_X = f_2 \circ [\,]_X : 0 \to Y$, where $[\,]_X : 0 \to X$ builds a term of type $X$
from any exception. Then rule (eq$_2$) expresses the fact that weak and strong
equations are related by the property that $f_1 = f_2$ if and only if $f_1 \sim f_2$ and
$f_1 \circ [\,]_X = f_2 \circ [\,]_X$. This can also be expressed as a pair of weak equations:
$f_1 = f_2$ if and only if $f_1 \sim f_2$ and $f_1 \circ [\,]_X \circ \mathrm{tag} \sim f_2 \circ [\,]_X \circ \mathrm{tag}$ by rule (eq$_3$).
The core theory of exceptions $T_{exc\text{-}core}$ is the theory of $L_{exc\text{-}core}$ generated from
the theory $T_{eq}$ of $L_{eq}$. Some easily derived properties are stated in Lemma 4.1,
which will be used repeatedly.

Lemma 4.1. 1. For all pure terms $u_1^{(0)}, u_2^{(0)} : X \to P$, the equation $u_1 = u_2$
is $T_{exc\text{-}core}$-equivalent to $\mathrm{tag} \circ u_1 = \mathrm{tag} \circ u_2$ and also to $\mathrm{untag} \circ \mathrm{tag} \circ u_1 =
\mathrm{untag} \circ \mathrm{tag} \circ u_2$.

2. For all pure terms $u^{(0)} : X \to P$, $v^{(0)} : X \to 0$, the equation $u = [\,]_P \circ v$
is $T_{exc\text{-}core}$-equivalent to $\mathrm{tag} \circ u = v$.

Proof. 1. Implications from left to right are clear. Conversely, if $\mathrm{untag} \circ \mathrm{tag} \circ
u_1 = \mathrm{untag} \circ \mathrm{tag} \circ u_2$, then using the axiom (ax) and the rule (subs$_\sim$) we
get $u_1 \sim u_2$. Since $u_1$ and $u_2$ are pure this means that $u_1 = u_2$.

2. First, since $\mathrm{tag} \circ [\,]_P : 0 \to 0$ is a propagator we have $\mathrm{tag} \circ [\,]_P = \mathrm{id}_0$.
Now, if $u = [\,]_P \circ v$ then $\mathrm{tag} \circ u = \mathrm{tag} \circ [\,]_P \circ v = v$. Conversely, if
$\mathrm{tag} \circ u = v$ then $\mathrm{tag} \circ u = \mathrm{tag} \circ [\,]_P \circ v$, and by Point 1 this means that
$u = [\,]_P \circ v$.

□

The operation $\mathrm{untag}$ in the core language can be used for decomposing the
try-catch construction in the programmers’ language in two steps: a step for
catching the exception, which is nested into a second step inside the try-catch
block. This corresponds to a translation of the programmers’ language in the
core language, as in [8], which is recalled below; then Proposition 4.2 proves
the correctness of this translation. In view of this translation we extend the
core language with:

• for each b^(1) : P → Y, a catcher CATCH(b)^(2) : Y → Y such that CATCH(b) ~ id_Y and CATCH(b) ∘ [ ]_Y = b ∘ untag: if the argument of CATCH(b) is non-exceptional then nothing is done, otherwise the parameter p of the exception is recovered and b(p) is run.

• for each a^(1) : X → Y and k^(2) : Y → Y, a propagator TRY(a, k)^(1) : X → Y such that TRY(a, k) ~ k ∘ a: thus TRY(a, k) behaves as k ∘ a on non-exceptional arguments, but it always propagates exceptions.

Then, a translation of the programmer's language of exceptions into the core language is easily obtained: for each type Y, throw_Y^(1) = [ ]_Y ∘ tag : P → Y, and for each a^(1) : X → Y, b^(1) : P → Y, (try(a)catch(b))^(1) = TRY(a, CATCH(b)) : X → Y. This translation is correct: see Proposition 4.2.

Proposition 4.2. If the pure term [ ]_Y : 0 → Y is a monomorphism with respect to propagators for each type Y, the above translation of the programmers' language for exceptions into the core language is correct.

Proof. We have to prove that the image of each rule of L_exc is satisfied. Recall that strong and weak equations coincide in L_exc.

• (propagate) For each a^(1) : X → Y, the rules of L_exc-core imply that a ∘ [ ]_X = [ ]_Y, so that a ∘ [ ]_X ∘ tag = [ ]_Y ∘ tag.

• (recover) For each u1^(0), u2^(0) : X → P, if [ ]_Y ∘ tag ∘ u1 = [ ]_Y ∘ tag ∘ u2, then since [ ]_Y is a monomorphism with respect to propagators we have tag ∘ u1 = tag ∘ u2, so that, by Point 1 in Lemma 4.1, we get u1 = u2.

• (try) Since try(a_i)catch(b) ~ CATCH(b) ∘ a_i for i ∈ {1, 2}, we get try(a1)catch(b) ~ try(a2)catch(b) as soon as a1 = a2.

• (try0) For each u^(0) : X → Y and b^(1) : P → Y, we have TRY(u, CATCH(b)) ~ CATCH(b) ∘ u and CATCH(b) ∘ u ~ u (because CATCH(b) ~ id and u is pure), so that TRY(u, CATCH(b)) ~ u.

• (try1) For each u^(0) : X → P and b^(1) : P → Y, we have TRY([ ]_Y ∘ tag ∘ u, CATCH(b)) ~ CATCH(b) ∘ [ ]_Y ∘ tag ∘ u and CATCH(b) ∘ [ ]_Y = b ∘ untag, so that TRY([ ]_Y ∘ tag ∘ u, CATCH(b)) ~ b ∘ untag ∘ tag ∘ u. We also have untag ∘ tag ∘ u ~ u (because untag ∘ tag ~ id and u is pure), so that TRY([ ]_Y ∘ tag ∘ u, CATCH(b)) ~ b ∘ u.

□

Example 4.3 (Continuation of Example 3.1). We show here that it is possible to separate the matching between normal and exceptional behaviour from the recovery after an exceptional behaviour: to prove that try(s(throw 3))catch(p) is equivalent to 2 in the core language, we first use the translation to get TRY(s ∘ [ ] ∘ tag ∘ 3, CATCH(p)). Then (empty_~) shows that s ∘ [ ] ∘ tag ∘ 3 ~ [ ] ∘ tag ∘ 3. Now, the TRY and CATCH translations show that TRY([ ] ∘ tag ∘ 3, CATCH(p)) ~ CATCH(p) ∘ [ ] ∘ tag ∘ 3 ~ p ∘ untag ∘ tag ∘ 3. Finally the axiom (ax) and (eq1) give p ∘ 3 = 2.
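The intended model of the core language, as an added example that is not part of the paper or of its Coq development: terms are interpreted as functions X + E → Y + E, strong and weak equations are decided by enumeration over a finite sample of parameters, and Example 4.3 is evaluated with the successor s, the predecessor p and the constant 3 assumed to be the pure terms of Example 3.1.

```python
from dataclasses import dataclass
from typing import Any, Callable, Iterable

# Intended model of L_exc-core with a single exception name (constructed
# example, not the paper's Coq development): a term f : X -> Y is read as a
# function X + E -> Y + E, where E is the set of exceptions, each carrying a
# parameter of type P.

@dataclass(frozen=True)
class Exc:
    """An exception with its parameter p in P, i.e. E = {Exc(p) | p in P}."""
    param: Any

def is_exc(v: Any) -> bool:
    return isinstance(v, Exc)

def pure(u: Callable) -> Callable:
    """u^(0) : X -> Y: never raises, never catches; exceptions pass through."""
    return lambda v: v if is_exc(v) else u(v)

def tag(v: Any) -> Any:
    """tag^(1) : P -> 0, a propagator: raises the exception with parameter p."""
    return v if is_exc(v) else Exc(v)

def untag(v: Any) -> Any:
    """untag^(2) : 0 -> P, a catcher: recovers the parameter of an exception.
    Type 0 has no normal values, so the argument is always an exception."""
    assert is_exc(v), "untag only receives exceptions (arguments of type 0)"
    return v.param

def empty_to(v: Any) -> Any:
    """[ ]_Y : 0 -> Y, the pure term out of the empty type: it only ever
    sees exceptions and propagates them."""
    assert is_exc(v)
    return v

def ident(v: Any) -> Any:
    return v

def compose(*fs: Callable) -> Callable:
    """f_k o ... o f_1 (rightmost applied first)."""
    def h(v):
        for f in reversed(fs):
            v = f(v)
        return v
    return h

# Extension used for the translation of the programmer's language.
def CATCH(b: Callable) -> Callable:
    """CATCH(b)^(2) : Y -> Y, with CATCH(b) ~ id_Y and CATCH(b) o [ ]_Y = b o untag."""
    return lambda v: b(untag(v)) if is_exc(v) else v

def TRY(a: Callable, k: Callable) -> Callable:
    """TRY(a, k)^(1) : X -> Y, with TRY(a, k) ~ k o a but always propagating."""
    return lambda v: v if is_exc(v) else k(a(v))

def throw(p: Any) -> Any:
    """throw_Y = [ ]_Y o tag : P -> Y."""
    return empty_to(tag(p))

def try_catch(a: Callable, b: Callable) -> Callable:
    """(try(a)catch(b))^(1) = TRY(a, CATCH(b))."""
    return TRY(a, CATCH(b))

# Strong and weak equations, decided by enumeration over finite sample sets:
# the normal arguments of X and the parameters P of the exceptions.
def weak_eq(f: Callable, g: Callable, normals: Iterable) -> bool:
    """f ~ g: same result on the non-exceptional arguments."""
    return all(f(x) == g(x) for x in normals)

def strong_eq(f: Callable, g: Callable, normals: Iterable, params: Iterable) -> bool:
    """f = g: same result on normal arguments and on every exception."""
    return weak_eq(f, g, normals) and all(f(Exc(p)) == g(Exc(p)) for p in params)

def check_laws(params=range(5)) -> dict:
    """Evaluate the rules of Fig. 3 and equation (1) in the model."""
    P = list(params)
    p = pure(lambda n: n - 1)          # predecessor, used as b in CATCH(b)
    return {
        # (ax): untag o tag ~ id_P holds weakly ...
        "ax_weak": weak_eq(compose(untag, tag), ident, P),
        # ... but not strongly: on Exc(q), untag o tag yields q while id keeps Exc(q)
        "ax_strong": strong_eq(compose(untag, tag), ident, P, P),
        # (1): tag o untag = id_0 is strong (0 has no normal values, only E is tested)
        "eq1_strong": strong_eq(compose(tag, untag), ident, [], P),
        # CATCH(b) ~ id_Y, but CATCH(b) = id_Y fails because CATCH(b) handles exceptions
        "catch_weak_id": weak_eq(CATCH(p), ident, P),
        "catch_strong_id": strong_eq(CATCH(p), ident, P, P),
        # TRY(a, k) ~ k o a, here for a = throw and k = CATCH(p)
        "try_weak": weak_eq(TRY(throw, CATCH(p)), compose(CATCH(p), throw), P),
    }

def example_4_3() -> Any:
    """try(s(throw 3))catch(p) applied to the unit argument (): returns 2."""
    s = pure(lambda n: n + 1)          # successor
    p = pure(lambda n: n - 1)          # predecessor
    three = pure(lambda _unit: 3)      # the constant 3 : 1 -> N
    return try_catch(compose(s, throw, three), p)(())

if __name__ == "__main__":
    print(check_laws())
    print(example_4_3())
```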

In order to prove the completeness of the core decorated theory for exceptions, as for the proof of Theorem 3.5, we first determine canonical forms in Proposition 4.4, then we study the equations between terms in canonical form in Proposition 4.5. Let us begin by proving the fundamental strong equation for exceptions (1): by replacement in the axiom (ax) we get tag ∘ untag ∘ tag ~ tag, then by rule (eq3):

tag ∘ untag = id_0 (1)

Proposition 4.4. 1. For each propagator a^(1) : X → Y, either a is pure or there is a pure term v^(0) : X → P such that a^(1) = [ ]_Y^(0) ∘ tag^(1) ∘ v^(0). And for each propagator a^(1) : X → 0 (either pure or not), there is a pure term v^(0) : X → P such that a^(1) = tag^(1) ∘ v^(0).

2. For each catcher f^(2) : X → Y, either f is a propagator or there is a propagator b^(1) : P → Y and a pure term v^(0) : X → P such that f^(2) = b^(1) ∘ untag^(2) ∘ tag^(1) ∘ v^(0).

Proof. 1. If the propagator a^(1) : X → Y is not pure then it contains at least one occurrence of tag^(1). Thus, it can be written in a unique way as a = b ∘ tag ∘ v for some propagator b^(1) : 0 → Y and some pure term v^(0) : X → P. Since b^(1) : 0 → Y we have b^(1) = [ ]_Y^(0), and the first result follows. When Y = 0, it follows that a^(1) = tag^(1) ∘ v^(0). When a : X → 0 is pure, one has a = tag^(1) ∘ ([ ]_P ∘ a)^(0).

2. The proof proceeds by structural induction. If f is pure the result is obvious, otherwise f can be written in a unique way as f = g ∘ op ∘ u where u is pure, op is either tag or untag and g is the remaining part of f. By induction, either g is a propagator or g = b ∘ untag ∘ tag ∘ v for some pure term v and some propagator b. So, there are four cases to consider. (1) If op = tag and g is a propagator then f is a propagator. (2) If op = untag and g is a propagator then by Point 1 there is a pure term w such that u = tag ∘ w, so that f = g^(1) ∘ untag ∘ tag ∘ w^(0). (3) If op = tag and g = b^(1) ∘ untag ∘ tag ∘ v^(0) then f = b ∘ untag ∘ tag ∘ v ∘ tag ∘ u. Since v : 0 → P is pure we have tag ∘ v = id_0, so that f = b^(1) ∘ untag ∘ tag ∘ u^(0). (4) If op = untag and g = b^(1) ∘ untag ∘ tag ∘ v^(0) then f = b ∘ untag ∘ tag ∘ v ∘ untag ∘ u. Since v is pure, by (ax) and (subs_~) we have untag ∘ tag ∘ v ~ v. Besides, by (ax) and (repl_~) we have v ∘ untag ∘ tag ~ v and untag ∘ tag ∘ v ∘ untag ∘ tag ~ untag ∘ tag ∘ v. Since ~ is an equivalence relation these three weak equations imply untag ∘ tag ∘ v ∘ untag ∘ tag ~ v ∘ untag ∘ tag. By rule (eq3) we get untag ∘ tag ∘ v ∘ untag = v ∘ untag, and by Point 1 there is a pure term w such that u = tag ∘ w, so that f = (b ∘ v)^(1) ∘ untag ∘ tag ∘ w^(0).

□


Thanks to Proposition 4.4, in order to study equations in the theory T_exc-core we may restrict our study to pure terms, propagators of the form [ ]_Y^(0) ∘ tag^(1) ∘ v^(0) and catchers of the form b^(1) ∘ untag^(2) ∘ tag^(1) ∘ v^(0).

Proposition 4.5. 1. For all a1^(1), a2^(1) : P → Y and u1^(0), u2^(0) : X → P, let f1^(2) = a1 ∘ untag ∘ tag ∘ u1 : X → Y and f2^(2) = a2 ∘ untag ∘ tag ∘ u2 : X → Y, then f1 ~ f2 is T_exc-core-equivalent to a1 ∘ u1 = a2 ∘ u2 and f1 = f2 is T_exc-core-equivalent to {a1 = a2, a1 ∘ u1 = a2 ∘ u2}.

2. For all a1^(1) : P → Y, u1^(0) : X → P and a2^(1) : X → Y, let f1^(2) = a1 ∘ untag ∘ tag ∘ u1 : X → Y, then f1 ~ a2 is T_exc-core-equivalent to a1 ∘ u1 = a2 and f1 = a2 is T_exc-core-equivalent to {a1 ∘ u1 = a2, a1 = [ ]_Y ∘ tag}.

3. Let us assume that [ ]_Y is a monomorphism with respect to propagators. For all v1^(0), v2^(0) : X → P, let a1^(1) = [ ]_Y ∘ tag ∘ v1 : X → Y and a2^(1) = [ ]_Y ∘ tag ∘ v2 : X → Y. Then a1 = a2 is T_exc-core-equivalent to v1 = v2.

Proof. 1. Rule (eq2) implies that f1 = f2 if and only if f1 ~ f2 and f1 ∘ [ ]_X = f2 ∘ [ ]_X. On the one hand, f1 ~ f2 if and only if a1 ∘ u1 = a2 ∘ u2: indeed, for each i ∈ {1, 2}, by (ax) and (subs_~), since u_i is pure we have f_i ~ a_i ∘ u_i. On the other hand, let us prove that f1 ∘ [ ]_X = f2 ∘ [ ]_X if and only if a1 = a2. For each i ∈ {1, 2}, the propagator tag ∘ u_i ∘ [ ]_X : 0 → 0 satisfies tag ∘ u_i ∘ [ ]_X = id_0, so that f_i ∘ [ ]_X = a_i ∘ untag. Thus, f1 ∘ [ ]_X = f2 ∘ [ ]_X if and only if a1 ∘ untag = a2 ∘ untag. Clearly, if a1 = a2 then a1 ∘ untag = a2 ∘ untag. Conversely, if a1 ∘ untag = a2 ∘ untag then a1 ∘ untag ∘ tag = a2 ∘ untag ∘ tag, so that by (ax) and (repl_~) we get a1 ~ a2, which means that a1 = a2 because a1 and a2 are propagators.

2. Rule (eq2) implies that f1 = a2 if and only if f1 ~ a2 and f1 ∘ [ ]_X = a2 ∘ [ ]_X. On the one hand, f1 ~ a2 if and only if a1 ∘ u1 = a2: indeed, by (ax) and (subs_~), since u1 is pure we have f1 ~ a1 ∘ u1. On the other hand, let us prove that f1 ∘ [ ]_X = a2 ∘ [ ]_X if and only if a1 = [ ]_Y ∘ tag, in two steps. Since a2 ∘ [ ]_X : 0 → Y is a propagator, we have a2 ∘ [ ]_X = [ ]_Y. Since f1 ∘ [ ]_X = a1 ∘ untag ∘ tag ∘ u1 ∘ [ ]_X with tag ∘ u1 ∘ [ ]_X : 0 → 0 a propagator, we have tag ∘ u1 ∘ [ ]_X = id_0 and thus we get f1 ∘ [ ]_X = a1 ∘ untag. Thus, f1 ∘ [ ]_X = a2 ∘ [ ]_X if and only if a1 ∘ untag = [ ]_Y. If a1 ∘ untag = [ ]_Y then a1 ∘ untag ∘ tag = [ ]_Y ∘ tag; by (ax) and (repl_~) this implies a1 ~ [ ]_Y ∘ tag, which is a strong equality because both members are propagators. Conversely, if a1 = [ ]_Y ∘ tag then a1 ∘ untag = [ ]_Y ∘ tag ∘ untag, and by the fundamental equation (1) this implies a1 ∘ untag = [ ]_Y. Thus, a1 ∘ untag = [ ]_Y if and only if a1 = [ ]_Y ∘ tag.

3. Clearly, if v1 = v2 then [ ]_Y ∘ tag ∘ v1 = [ ]_Y ∘ tag ∘ v2. Conversely, if [ ]_Y ∘ tag ∘ v1 = [ ]_Y ∘ tag ∘ v2 then, since [ ]_Y is a monomorphism with respect to propagators, we get tag ∘ v1 = tag ∘ v2, so that untag ∘ tag ∘ v1 = untag ∘ tag ∘ v2. Now, from (ax) we get v1 ~ v2, which means that v1 = v2 because v1 and v2 are pure.

□


Assumption 4.6 is the image of Assumption 3.4 by the above translation.

Assumption 4.6. In the logic L_exc-core, the type of parameters P is non-empty, and for all u1^(0) : X → P and a2^(1) : X → Y with X non-empty, let a1^(1) = [ ]_Y ∘ tag ∘ u1 : X → Y. Then a1 = a2 is T_exc-equivalent to T_max,0.

Theorem 4.7. Under Assumption 4.6, the theory of exceptions T_exc-core is Hilbert-Post complete with respect to the pure sublogic L_eq of L_exc-core.

Proof. Using Corollary 2.10, the proof is based upon Propositions 4.4 and 4.5. It follows the same lines as the proof of Theorem 3.5, except when X is empty: because of catchers the proof here is slightly more subtle. First, the theory T_exc-core is consistent, because (by soundness) it cannot be proved that untag^(2) = [ ]_P^(0). Now, let us consider an equation between terms f1, f2 : X → Y, and let us prove that it is T_exc-core-equivalent to a set of pure equations. When X is non-empty, Propositions 4.4 and 4.5, together with Assumption 4.6, prove that the given equation is T_exc-core-equivalent to a set of pure equations. When X is empty, then f1 ~ [ ]_Y and f2 ~ [ ]_Y, so that if the equation is weak or if both f1 and f2 are propagators then the given equation is T_exc-core-equivalent to the empty set of equations between pure terms. When X is empty and the equation is f1 = f2 with at least one of f1 and f2 a catcher, then by Point 1 or 2 of Proposition 4.5, the given equation is T_exc-core-equivalent to a set of equations between propagators; but we have seen that each equation between propagators (whether X is empty or not) is T_exc-core-equivalent to a set of equations between pure terms, so that f1 = f2 is T_exc-core-equivalent to the union of these sets of pure equations. □

5 Verification of Hilbert-Post Completeness in Coq

All the statements of Sections 3 and 4 have been checked in Coq. The proofs can be found in http://forge.imag.fr/frs/download.php/680/hp-0.7.tar.gz, as well as an almost dual proof for the completeness of the state. They share the same framework, defined in [9]:

1. the terms of each logic are inductively defined through the dependent type named term which builds a new Type out of two input Types. For instance, term Y X is the Type of all terms of the form f : X → Y;

2. the decorations are enumerated: pure and propagator for both languages, and catcher for the core language;

3. decorations are inductively assigned to the terms via the dependent type called is. The latter builds a proposition (a Prop instance in Coq) out of a term and a decoration. Accordingly, is pure (id X) is a Prop instance;

4. for the core language, we state the rules with respect to weak and strong equalities by defining them in a mutually inductive way.

The completeness proof for the exceptions core language is 950 SLOC in Coq where it is 460 SLOC in LaTeX. Full certification runs in 6.745s on an Intel i7-3630QM @2.40GHz using the Coq Proof Assistant, v. 8.4pl3. The table below details the proof lengths and timings for each library.


Proof lengths & Benchmarks

package    | source           | length in Coq | length in LaTeX | execution time in Coq
exc_cl-hp  | HPCompleteCoq.v  | 40 KB         | 15 KB           | 6.745 sec.
exc_pl-hp  | HPCompleteCoq.v  | 8 KB          | 6 KB            | 1.704 sec.
exc_trans  | Translation.v    | 4 KB          | 2 KB            | 1.696 sec.
st-hp      | HPCompleteCoq.v  | 48 KB         | 15 KB           | 7.183 sec.


The correspondence between the propositions and theorems in this paper and their proofs in Coq is given in Fig. 4, and the dependency chart for the main results in Fig. 5. For instance, Proposition 3.3 is expressed in Coq as:

    forall {X Y} (a1 a2: term X Y) (v1 v2: term (Val e) Y),
      (is pure v1) /\ (is pure v2) /\
      (a1 = ((@throw X e) o v1)) /\ (a2 = ((@throw X e) o v2)) -> ((a1 == a2) <-> (v1 == v2)).
hp-0.7/exc_trans/Translation.v
  Proposition 4.2 (propagate)   propagate
  Proposition 4.2 (recover)     recover
  Proposition 4.2 (try)         try
  Proposition 4.2 (try0)        try0
  Proposition 4.2 (try1)        try1

hp-0.7/exc_pl-hp/HPCompleteCoq.v
  Proposition 3.2               can_form_th
  Proposition 3.3               eq_th_1_eq_pu
  Assumption 3.4                eq_th_pu_abs
  Theorem 3.5                   HPC_exc_pl

hp-0.7/exc_cl-hp/HPCompleteCoq.v
  Proposition 4.4 Point 1       can_form_pr
  Proposition 4.4 Point 2       can_form_ca
  Assumption 4.6                eq_pr_pu_abs
  Proposition 4.5 Point 1       eq_ca_2_eq_pr
  Proposition 4.5 Point 2       eq_ca_pr_2_eq_pr
  Proposition 4.5 Point 3       eq_pr_1_eq_pu
  Theorem 4.7                   HPC_exc_core

Figure 4: Correspondence between theorems in this paper and their Coq counterparts


Figure 5: Dependency chart for the main results. Nodes: the Coq lemmas can_form_ca, eq_ca_1_or_2_eq_pr, eq_ca_pr_2_eq_pr, can_form_pr, eq_pr_1_eq_pu, eq_pr_abs_or_1_eq_pu, eq_ca_abs_or_2_eq_pu, eq_pr_pu_abs, eq_pr_dom_emp and eq_ca_abs_2_eq_pu_dom_emp, leading to the final result HPC_exc; among the visible edges, can_form_ca → eq_ca_1_or_2_eq_pr and eq_pr_1_eq_pu → eq_pr_abs_or_1_eq_pu.


6 Conclusion and future work 

This paper is a first step towards the proof of completeness of decorated logics 
for computer languages. It has to be extended in several directions: adding basic 
features to the language (arity, conditionals, loops, ...), proving completeness 
of the decorated approach for other effects (not only states and exceptions); the 
combination of effects should easily follow, thanks to Proposition 2.7. 
A Completeness for states

Most programming languages such as C/C++ and Java support the usage and manipulation of the state (memory) structure. Even though the state structure is never syntactically mentioned, the commands are allowed to use or manipulate it, for instance looking up or updating the value of variables. This provides a great flexibility in programming, but in order to prove the correctness of programs, one usually has to revert to an explicit manipulation of the state. Therefore, any access to the state, regardless of usage or manipulation, is treated as a computational effect: a syntactical term f : X → Y is not interpreted as f : X → Y unless it is pure, that is unless it does not use the variables in any manner. Indeed, a term which updates the state has instead the following interpretation: f : X × S → Y × S where '×' is the product operator and S is the set of possible states. In [9], we proposed a proof system to prove program properties involving the state effect, while keeping the memory manipulations implicit. We summarize this system next and prove its Hilbert-Post completeness in Theorem A.6.

As noticed in [8], the logic L_exc-core is exactly dual to the logic L_st for states (as recalled below). Thus, the dual of the completeness Theorem 4.7 and of all results in Section 4 are valid, with the dual proof. However, the intended models for exceptions and for states rely on the category of sets, which is not self-dual, and the additional assumptions in Theorem 4.7, like the existence of a boolean type, cannot be dualized without losing the soundness of the logic with respect to its intended interpretation. It follows that the completeness Theorem A.6 for the theory for states is not exactly the dual of Theorem 4.7. In this Appendix, for the sake of readability, we give all the details of the proof of Theorem A.6; we will mention which parts are not the dual of the corresponding parts in the proof of Theorem 4.7.

As in [5], decorated logics for states are obtained from equational logics by classifying terms and equations. Terms are classified as pure terms, accessors or modifiers, which is expressed by adding a decoration or superscript, respectively (0), (1) and (2); decoration and type information about terms may be omitted when they are clear from the context or when they do not matter. Equations are classified as strong or weak equations, denoted respectively by the symbols = and ~. Weak equations relate to the values returned by programs, while strong equations relate to both values and side effects. In order to observe the state, accessors may use the values stored in locations, and modifiers may update these values. In order to focus on the main features of the proof of completeness, let us assume that only one location can be observed and modified; the general case, with an arbitrary number of locations, is considered in Remark A.7. The logic for dealing with pure terms may be any logic which extends a monadic equational logic with constants L_eq,1; its terms are decorated as pure and its equations are strong. This pure sublogic is extended to form the corresponding decorated logic for states L_st. The rules for L_st are given in Fig. 6. A theory of L_eq,1 is chosen, then the theory of states T_st is the theory of L_st generated from
Let us now discuss the logic L_st and its intended interpretation in sets; it is assumed that some model of the pure subtheory in sets has been chosen; the names of the rules refer to Fig. 6.

Each type X is interpreted as a set, denoted X. The intended model is described with respect to a set S called the set of states, which does not appear in the syntax. A pure term u^(0) : X → Y is interpreted as a function u : X → Y, an accessor a^(1) : X → Y as a function a : S × X → Y, and a modifier f^(2) : X → Y as a function f : S × X → S × Y. There are obvious conversions from pure terms to accessors and from accessors to modifiers, which allow us to consider all terms as modifiers whenever needed; for instance, this allows us to interpret the composition of terms without mentioning Kleisli composition; the complete characterization is given in [5].

Here, for the sake of simplicity, we consider a single variable (as done, e.g., in [16] and [19]), and dually to the choice of a unique exception name in Section 4. See Remark A.7 for the generalization to an arbitrary number of variables. The values of the unique location have type V. The fundamental operations for dealing with the state are the accessor lookup^(1) : 1 → V for reading the value of the location and the modifier update^(2) : V → 1 for updating this value. According to their decorations, they are interpreted respectively as functions lookup : S → V and update : S × V → S. Since there is only one location, it might be assumed that lookup : S → V is a bijection and that update : S × V → S maps each (s, v) ∈ S × V to the unique s' ∈ S such that lookup(s') = v: this is expressed by a weak equation, as explained below.

A strong equation f = g means that f and g return the same result and modify the state in "the same way", which means that no difference can be observed between the side-effects performed by f and by g. Whenever lookup : S → V is a bijection, a strong equation f^(2) = g^(2) : X → Y is interpreted as the equality f = g : S × X → S × Y: for each (s, x) ∈ S × X, let f(s, x) = (s', y') and g(s, x) = (s'', y''), then f = g means that y' = y'' and s' = s'' for all (s, x). Strong equations form a congruence. A weak equation f ~ g means that f and g return the same result although they may modify the state in different ways. Thus, a weak equation f^(2) ~ g^(2) : X → Y is interpreted as the equality pr_Y ∘ f = pr_Y ∘ g : S × X → Y, where pr_Y : S × Y → Y is the projection; with the same notations as above, this means that y' = y'' for all (s, x). Weak equations do not form a congruence: the replacement rule holds only when the replaced term is pure. The fundamental equation for states is provided by rule (ax): lookup^(1) ∘ update^(2) ~ id_V. This means that updating the location with a value v and then observing the value of the location does return v. Clearly this is only a weak equation: its right-hand side does not modify the state while its left-hand side usually does. There is an obvious conversion from strong to weak equations (=-to-~), and in addition strong and weak equations coincide on accessors by rule (eq1). Two modifiers f1^(2), f2^(2) : X → Y modify the state in the same way if and only if ( )_Y ∘ f1 = ( )_Y ∘ f2 : X → 1, where ( )_Y : Y → 1 throws out the returned value. Then weak and strong equations are related by the property that f1 = f2 if and only if f1 ~ f2 and ( )_Y ∘ f1 = ( )_Y ∘ f2, by rule (eq2). This can be expressed as a pair of weak equations f1 ~ f2 and lookup ∘ ( )_Y ∘ f1 ~ lookup ∘ ( )_Y ∘ f2, by rule (eq3). Some easily derived properties are stated in Lemma A.1; Point 2 will be used repeatedly.
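The intended interpretation just described, as an added example that is not part of the paper or of its Coq development: terms are modelled as functions S × X → S × Y with S = V, the axiom (ax), rule (eq1) and the fundamental strong equation update ∘ lookup = id_1 are checked by enumeration over a finite sample of values, and rule (eq2) is illustrated on two modifiers that return the same value but differ in their side effects (the increment program inc is a constructed example).

```python
from typing import Any, Callable, Iterable, Tuple

# Intended model of the decorated logic for states L_st with a single location
# of type V (constructed example, not the paper's Coq development). Every term
# is read as a modifier S x X -> S x Y on pairs (state, argument); since there
# is only one location, a state is the value it holds (S = V) and
# lookup : S -> V is the identity bijection.

Pair = Tuple[Any, Any]
Term = Callable[[Pair], Pair]

def pure(u: Callable[[Any], Any]) -> Term:
    """u^(0) : X -> Y seen as S x X -> S x Y: neither reads nor writes the state."""
    return lambda sx: (sx[0], u(sx[1]))

def accessor(a: Callable[[Any, Any], Any]) -> Term:
    """a^(1) : X -> Y as a : S x X -> Y: may read the state, never changes it."""
    return lambda sx: (sx[0], a(sx[0], sx[1]))

def lookup(sx: Pair) -> Pair:
    """lookup^(1) : 1 -> V returns the value stored in the location."""
    s, _unit = sx
    return (s, s)

def update(sx: Pair) -> Pair:
    """update^(2) : V -> 1 stores its argument in the location."""
    _s, v = sx
    return (v, ())

def unit_of(sx: Pair) -> Pair:
    """( )_X : X -> 1 throws out the returned value."""
    return (sx[0], ())

def ident(sx: Pair) -> Pair:
    return sx

def compose(*fs: Term) -> Term:
    """f_k o ... o f_1 (rightmost applied first), all terms viewed as modifiers."""
    def h(sx):
        for f in reversed(fs):
            sx = f(sx)
        return sx
    return h

# Strong and weak equations, decided by enumeration over finite sample sets.
def weak_eq(f: Term, g: Term, states: Iterable, args: Iterable) -> bool:
    """f ~ g: pr_Y o f = pr_Y o g, the same returned value for every (s, x)."""
    return all(f((s, x))[1] == g((s, x))[1] for s in states for x in args)

def strong_eq(f: Term, g: Term, states: Iterable, args: Iterable) -> bool:
    """f = g: same returned value and same final state for every (s, x)."""
    return all(f((s, x)) == g((s, x)) for s in states for x in args)

def check_laws(values=range(4)) -> dict:
    """Evaluate (ax), (eq1) and the fundamental strong equation in the model."""
    V = list(values)
    unit = [()]
    succ_of_lookup = compose(pure(lambda n: n + 1), lookup)
    succ_accessor = accessor(lambda s, _u: s + 1)
    return {
        # (ax): lookup o update ~ id_V holds weakly ...
        "ax_weak": weak_eq(compose(lookup, update), ident, V, V),
        # ... but not strongly: update overwrites the state with its argument
        "ax_strong": strong_eq(compose(lookup, update), ident, V, V),
        # update o lookup = id_1 is a strong equation (Lemma A.1, Point 1)
        "fundamental_strong": strong_eq(compose(update, lookup), ident, V, unit),
        # (eq1): on accessors a weak equation is already a strong one
        "eq1_weak": weak_eq(succ_of_lookup, succ_accessor, V, unit),
        "eq1_strong": strong_eq(succ_of_lookup, succ_accessor, V, unit),
    }

def increment_example(values=range(4)) -> dict:
    """Rule (eq2) on two modifiers 1 -> V returning the same value:
    f1 = lookup o inc with inc = update o succ o lookup (reads, then writes v+1)
    and f2 = succ o lookup (reads only). They are weakly but not strongly equal,
    and ( )_V o f1 = ( )_V o f2 fails, as (eq2) predicts."""
    V = list(values)
    unit = [()]
    inc = compose(update, pure(lambda n: n + 1), lookup)
    f1 = compose(lookup, inc)
    f2 = compose(pure(lambda n: n + 1), lookup)
    return {
        "weak": weak_eq(f1, f2, V, unit),                                    # f1 ~ f2
        "same_effect": strong_eq(compose(unit_of, f1), compose(unit_of, f2), V, unit),
        "strong": strong_eq(f1, f2, V, unit),                                # f1 = f2
    }

if __name__ == "__main__":
    print(check_laws())
    print(increment_example())
```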


Monadic equational logic with constants L_eq,1:
Types and terms: as for monadic equational logic, plus a unit type 1 and a term ( )_X : X → 1 for each X.
Rules: as for monadic equational logic, plus (unit): for each f : X → 1, f = ( )_X.

Decorated logic for states L_st:
Pure part: some logic extending L_eq,1, with a distinguished type V.
Decorated terms: lookup^(1) : 1 → V, update^(2) : V → 1, and (f_k ∘ ... ∘ f_1)^(max(d_1,...,d_k)) : X_0 → X_k for each (f_i^(d_i) : X_{i-1} → X_i)_{1≤i≤k}, with conversions from (0) to (1) and from (1) to (2).
Rules:
(equiv_=), (subs_=), (repl_=) for all decorations;
(equiv_~), (subs_~) for all decorations, (repl_~) only when h is pure;
(unit_~): for each f : X → 1, f ~ ( )_X;
(=-to-~): f = g implies f ~ g;
(ax): lookup ∘ update ~ id_V;
(eq1): f^(d1) ~ g^(d2) implies f = g, only when d1 ≤ 1 and d2 ≤ 1;
(eq2): for f1, f2 : X → Y, f1 ~ f2 and ( )_Y ∘ f1 = ( )_Y ∘ f2 imply f1 = f2;
(eq3): for f1, f2 : X → 1, lookup ∘ f1 ~ lookup ∘ f2 implies f1 = f2.

Figure 6: Decorated logic for states (dual to Fig. 3)

Lemma A.1. 1. update ∘ lookup = id_1 (this is the fundamental strong equation for states).

2. Each f^(2) : 1 → 1 is such that f ~ id_1, each f^(1) : X → 1 is such that f = ( )_X, and each f^(1) : 1 → 1 is such that f = id_1.

3. For all pure terms u1^(0), u2^(0) : V → Y, one has: u1 = u2 is T_st-equivalent to u1 ∘ lookup = u2 ∘ lookup and also to u1 ∘ lookup ∘ update = u2 ∘ lookup ∘ update.

4. For all pure terms u^(0) : V → Y, v^(0) : 1 → Y, one has: u = v ∘ ( )_V is T_st-equivalent to u ∘ lookup = v.

Proof. 1. By substitution in the axiom (ax) we get lookup ∘ update ∘ lookup ~ lookup; then by rule (eq3) update ∘ lookup = id_1.

2. Clear.

3. Implications from left to right are clear. Conversely, if u1 ∘ lookup ∘ update = u2 ∘ lookup ∘ update, then using the axiom (ax) and the rule (repl_~) we get u1 ~ u2. Since u1 and u2 are pure this means that u1 = u2.

4. First, since ( )_V ∘ lookup : 1 → 1 is an accessor we have ( )_V ∘ lookup = id_1. Now, if u = v ∘ ( )_V then u ∘ lookup = v ∘ ( )_V ∘ lookup, so that u ∘ lookup = v. Conversely, if u ∘ lookup = v then u ∘ lookup = v ∘ ( )_V ∘ lookup, and by Point 3 this means that u = v ∘ ( )_V.

□

Our main result is Theorem A.6 about the relative Hilbert-Post completeness 
of the decorated theory of states under suitable assumptions. 

Proposition A.2. 1. For each accessor a^(1) : X → Y, either a is pure or there is a pure term v^(0) : V → Y such that a^(1) = v^(0) ∘ lookup^(1) ∘ ( )_X^(0). For each accessor a^(1) : 1 → Y (either pure or not), there is a pure term v^(0) : V → Y such that a^(1) = v^(0) ∘ lookup^(1).

2. For each modifier f^(2) : X → Y, either f is an accessor or there is an accessor b^(1) : X → V and a pure term v^(0) : V → Y such that f^(2) = v^(0) ∘ lookup^(1) ∘ update^(2) ∘ b^(1).

Proof. 1. If the accessor a^(1) : X → Y is not pure then it contains at least one occurrence of lookup^(1). Thus, it can be written in a unique way as a = v ∘ lookup ∘ b for some pure term v^(0) : V → Y and some accessor b^(1) : X → 1. Since b^(1) : X → 1 we have b^(1) = ( )_X^(0), and the first result follows. When X = 1, it follows that a^(1) = v^(0) ∘ lookup^(1). When a : 1 → Y is pure, one has a = (a ∘ ( )_V)^(0) ∘ lookup^(1).

2. The proof proceeds by structural induction. If f is pure the result is obvious, otherwise f can be written in a unique way as f = u ∘ op ∘ g where u is pure, op is either lookup or update and g is the remaining part of f. By induction, either g is an accessor or g = v ∘ lookup ∘ update ∘ b for some pure term v and some accessor b. So, there are four cases to consider.

• If op = lookup and g is an accessor then f is an accessor.

• If op = update and g is an accessor then by Point 1 there is a pure term w such that u = w ∘ lookup, so that f = w^(0) ∘ lookup ∘ update ∘ g^(1).

• If op = lookup and g = v^(0) ∘ lookup ∘ update ∘ b^(1) then f = u ∘ lookup ∘ v ∘ lookup ∘ update ∘ b. Since v : V → 1 is pure we have v ∘ lookup = id_1, so that f = u^(0) ∘ lookup ∘ update ∘ b^(1).

• If op = update and g = v^(0) ∘ lookup ∘ update ∘ b^(1) then f = u^(0) ∘ update ∘ v^(0) ∘ lookup ∘ update ∘ b^(1). Since v is pure, by (ax) and (repl_~) we have v ∘ lookup ∘ update ~ v. Besides, by (ax) and (subs_~) we have lookup ∘ update ∘ v ~ v and lookup ∘ update ∘ v ∘ lookup ∘ update ~ v ∘ lookup ∘ update. Since ~ is an equivalence relation these three weak equations imply lookup ∘ update ∘ v ∘ lookup ∘ update ~ lookup ∘ update ∘ v. By rule (eq3) we get update ∘ v ∘ lookup ∘ update = update ∘ v, so that f = u^(0) ∘ update ∘ (v ∘ b)^(1).

□


Thanks to Proposition A.2, in order to study equations in the logic L_st we may restrict our study to pure terms, accessors of the form v^(0) ∘ lookup^(1) ∘ ( )_X^(0) and modifiers of the form v^(0) ∘ lookup^(1) ∘ update^(2) ∘ b^(1).

Point 4 in Proposition A.3 is not dual to Point 1 in Proposition 4.4.

Proposition A.3. 1. For all a1^(1), a2^(1) : X → V and u1^(0), u2^(0) : V → Y, let f1^(2) = u1 ∘ lookup ∘ update ∘ a1 : X → Y and f2^(2) = u2 ∘ lookup ∘ update ∘ a2 : X → Y, then f1 ~ f2 is T_st-equivalent to u1 ∘ a1 = u2 ∘ a2 and f1 = f2 is T_st-equivalent to {a1 = a2, u1 ∘ a1 = u2 ∘ a2}.

2. For all a1^(1) : X → V, u1^(0) : V → Y and a2^(1) : X → Y, let f1^(2) = u1 ∘ lookup ∘ update ∘ a1 : X → Y, then f1 ~ a2 is T_st-equivalent to u1 ∘ a1 = a2 and f1 = a2 is T_st-equivalent to {u1 ∘ a1 = a2, a1 = lookup ∘ ( )_X}.

3. Let us assume that ( )_X is an epimorphism with respect to accessors. For all v1^(0), v2^(0) : V → Y, let a1^(1) = v1 ∘ lookup ∘ ( )_X : X → Y and a2^(1) = v2 ∘ lookup ∘ ( )_X : X → Y. Then a1 = a2 is T_st-equivalent to v1 = v2.

4. Let us assume that ( )_X is an epimorphism with respect to accessors and that there exists a pure term k_X^(0) : 1 → X. For all v1^(0) : V → Y and v2^(0) : X → Y, let a1^(1) = v1 ∘ lookup ∘ ( )_X : X → Y. Then a1 = v2 is T_st-equivalent to {v1 = v2 ∘ k_X ∘ ( )_V, v2 = v2 ∘ k_X ∘ ( )_X}.

Proof. 1. Rule (eq2) implies that f1 = f2 if and only if f1 ~ f2 and ( )_Y ∘ f1 = ( )_Y ∘ f2. On the one hand, f1 ~ f2 if and only if u1 ∘ a1 = u2 ∘ a2: indeed, for each i ∈ {1, 2}, by (ax) and (repl_~), since u_i is pure we have f_i ~ u_i ∘ a_i. On the other hand, let us prove that ( )_Y ∘ f1 = ( )_Y ∘ f2 if and only if a1 = a2.

• For each i ∈ {1, 2}, the accessor ( )_Y ∘ u_i ∘ lookup : 1 → 1 satisfies ( )_Y ∘ u_i ∘ lookup = id_1, so that ( )_Y ∘ f_i = update ∘ a_i. Thus, ( )_Y ∘ f1 = ( )_Y ∘ f2 if and only if update ∘ a1 = update ∘ a2.

• Clearly, if a1 = a2 then update ∘ a1 = update ∘ a2. Conversely, if update ∘ a1 = update ∘ a2 then lookup ∘ update ∘ a1 = lookup ∘ update ∘ a2, so that by (ax) and (subs_~) we get a1 ~ a2, which means that a1 = a2 because a1 and a2 are accessors.

2. Rule (eq2) implies that f1 = a2 if and only if f1 ~ a2 and ( )_Y ∘ f1 = ( )_Y ∘ a2. On the one hand, f1 ~ a2 if and only if u1 ∘ a1 = a2: indeed, by (ax) and (repl_~), since u1 is pure we have f1 ~ u1 ∘ a1. On the other hand, let us prove that ( )_Y ∘ f1 = ( )_Y ∘ a2 if and only if a1 = lookup ∘ ( )_X, in two steps.

• Since ( )_Y ∘ a2 : X → 1 is an accessor, we have ( )_Y ∘ a2 = ( )_X. Since ( )_Y ∘ f1 = ( )_Y ∘ u1 ∘ lookup ∘ update ∘ a1 with ( )_Y ∘ u1 ∘ lookup : 1 → 1 an accessor, we have ( )_Y ∘ u1 ∘ lookup = id_1 and thus we get ( )_Y ∘ f1 = update ∘ a1. Thus, ( )_Y ∘ f1 = ( )_Y ∘ a2 if and only if update ∘ a1 = ( )_X.

• If update ∘ a1 = ( )_X then lookup ∘ update ∘ a1 = lookup ∘ ( )_X; by (ax) and (subs_~) this implies a1 ~ lookup ∘ ( )_X, which is a strong equality because both members are accessors. Conversely, if a1 = lookup ∘ ( )_X then update ∘ a1 = update ∘ lookup ∘ ( )_X; by Point 1 in Lemma A.1 this implies update ∘ a1 = ( )_X. Thus, update ∘ a1 = ( )_X if and only if a1 = lookup ∘ ( )_X.

3. Clearly, if v1 = v2 then a1 = a2. Conversely, if a1 = a2, i.e., if v1 ∘ lookup ∘ ( )_X = v2 ∘ lookup ∘ ( )_X, since ( )_X is an epimorphism with respect to accessors we get v1 ∘ lookup = v2 ∘ lookup. By Point 3 in Lemma A.1, this means that v1 = v2.

4. Let w2^(0) = v2 ∘ k_X : 1 → Y. Let us assume that v1 = w2 ∘ ( )_V and v2 = w2 ∘ ( )_X. Equation v1 = w2 ∘ ( )_V implies a1 = w2 ∘ ( )_V ∘ lookup ∘ ( )_X. Since ( )_V ∘ lookup = id_1 we get a1 = w2 ∘ ( )_X. Then, equation v2 = w2 ∘ ( )_X implies a1 = v2. Conversely, let us assume that a1 = v2, which means that v1 ∘ lookup ∘ ( )_X = v2. Then v1 ∘ lookup ∘ ( )_X ∘ k_X ∘ ( )_V = v2 ∘ k_X ∘ ( )_V, which reduces to v1 ∘ lookup ∘ ( )_V = w2 ∘ ( )_V. Since ( )_V is an epimorphism with respect to accessors we get v1 ∘ lookup = w2, which means that v1 = w2 ∘ ( )_V by Point 4 in Lemma A.1. Now let us come back to equation v1 ∘ lookup ∘ ( )_X = v2; since v1 = w2 ∘ ( )_V, it yields w2 ∘ ( )_V ∘ lookup ∘ ( )_X = v2, so that w2 ∘ ( )_X = v2.

□

The assumption for Theorem A.6 comes from the fact that the existence of a pure term k_X^(0) : 1 → X, which is used in Point 4 of Proposition A.3, is incompatible with the intended model of states if X is interpreted as the empty set. The assumption for Theorem A.6 is not dual to the assumption for Theorem 4.7.

Definition A.4. A type X is inhabited if there exists a pure term k_X^(0) : 1 → X. A type 0 is empty if for each type Y there is a pure term [ ]_Y^(0) : 0 → Y, and every term f : 0 → Y is such that f = [ ]_Y.

Remark A.5. When X is inhabited then for any k_X^(0) : 1 → X we have ( )_X ∘ k_X = id_1, so that ( )_X is a split epimorphism; it follows that ( )_X is an epimorphism with respect to all terms, and especially with respect to accessors.

Theorem A.6. If every non-empty type is inhabited and if V is non-empty, the theory of states T_st is Hilbert-Post complete with respect to the pure sublogic of L_st.
Proof. Using Corollary 2.10, the proof relies upon Propositions A.2 and A.3. It follows the same lines as the proofs of Theorems 3.5 and 4.7. The theory T_st is consistent: it cannot be proved that update^(2) = ( )_V^(0), because the logic L_st is sound with respect to its intended model and the interpretation of this equation in the intended model is false as soon as V has at least two elements: indeed, for each state s and each x ∈ V, lookup ∘ update(x, s) = x because of (ax) while lookup ∘ ( )_V(x, s) = lookup(s) does not depend on x. Let us consider an equation (strong or weak) between terms with domain X in L_st; we distinguish two cases, whether X is empty or not. When X is empty, then all terms from X to Y are strongly equivalent to [ ]_Y, so that the given equation is T_st-equivalent to the empty set of equations between pure terms. When X is non-empty then it is inhabited, thus by Remark A.5 ( )_X is an epimorphism with respect to accessors. Thus, Propositions A.2 and A.3 prove that the given equation is T_st-equivalent to a finite set of equations between pure terms. □

Remark A.7. This can be generalized to an arbitrary number of locations. The logic L_st and the theory T_st have to be generalized as in [5], then Proposition A.2 has to be adapted using the basic properties of lookup and update, as stated in [17]; these properties can be deduced from the decorated theory for states, as proved in [9]. The rest of the proof generalizes accordingly, as in [16].